The last time I attended VMworld, virtual desktop infrastructure (VDI) was the cool new kid on the block and tools to control VM sprawl were getting a lot of looks on the show floor. Fast forward a few years to next week’s event and the complexion of the data center is under a fundamental shift best characterized by agility, the core business benefit of cloud computing and software-defined infrastructure. I return to VMworld with a keen interest in understanding how VMware, and its ecosystem of partners, are working to secure today’s agile data center and hearing from customers on how the way they view the cloud computing paradigm affects their cybersecurity posture.
Companies not born of the digital age are actively evaluating how they can realize the same level of agility as cloud native market disrupters such as Airbnb, Dropbox, Netflix, and others. In addition to the attractive economics of a utility model, enterprises in transition seek the competitive edge realized by dramatically shortening time to deployment, auto-scaling, and deploying a new fleet of workloads without manually re-provisioning. That’s agility, and to get it organizations can move workloads to a public IaaS/PaaS cloud, stand up a private cloud, and\or provision micro-segmented networks. All of these approaches provide interfaces to enable the continuous development, integration, and deployment core to an agile approach. However, as compelling as these benefits are, there are obstacles to adoption. According to ESG Research conducted earlier this year, security concerns were cited as the top factor hindering the more pervasive use of cloud computing services. But what’s really different about the modern data center and are there, in fact, scenarios for an improved security posture?
- The DevOps Opportunity: Security best practices start with policies, user education, and processes. The agile infrastructure stack is provisioned, tested, monitored, and optimized vis-a-vis a DevOps methodology representing an opportunity to incorporate security best practices right up front including, for example, checking for vulnerabilities in the continuous integration phase. In a DevOps context, security doesn’t, and shouldn’t, come later. This includes securing access to today’s equivalent of configuration management servers that orchestrate workload deployment with best practices such as two-factor authentication and "trust, but verify" audits of root level system administration activities.
- Reducing the Window of Vulnerability with Immutable Infrastructure: Auto-scaling to meet the load demands of an application could very well result in cloning workloads that include a vulnerability effectively expanding the attack surface area. But unlike the data center of yesteryear where Patch Tuesday was part of the IT operational cadence, today’s infrastructure teams can employ a blue-green cutover strategy to reduce the window of vulnerability. This approach with immutable infrastructure mitigates the risk associated with software vulnerabilities by expediting deploying a new set of updated workloads to production.
- Containing Containers: Containers are this year’s cool kid, as they should be, given their promising “shift and lift” role in providing further agility. Isolating applications from the underlying host layer offers some protection while inter and intra container security controls to prevent cross container contamination are starting to hit the scene for further protection.
- Security as a Killer App: Micro-Segmentation represents the potential for security services to be baked into the stack so each instance is provisioned with the right set of controls. This approach also holds some promise in lowering the operational cost that plagues security with automation.
So much written about security is doom and gloom, understandably so, given the dangerous threat landscape. But I see opportunities to secure the agile data center if we can swim security best practices upstream in the infrastructure lifecycle. Given that security is still speed bump number #1 in cloud adoption slowing enterprises from making the move, security should be a front and center topic next week. While VMworld isn’t a security show per se, it is the seminal data center event of the year, and with the data center undergoing an overhaul, these are some of the security topics I look to be discussed on stage and on the floor.